Websense® Security Labs™ researchers are continuing the analysis of a sophisticated malware attack which has been observed to conduct espionage against Russian, Saudi Arabian, and Irish targets, amongst others.

Regin, as the malware family (or toolkit) has been named, is both modular and multi-stage, making the malware extremely customizable. Regin also uses advanced techniques to hide its activity, including custom encryption and the use of custom UDP and TCP protocols.

At the time of writing we can confirm our knowledge of publically-available Indicators of Compromise used in both version 1 of Regin (pre-2011) and version 2 of Regin (2013 onwards) and we have committed those to ACE, our Advanced Classification Engine.

Threat Modelling

When such sophisticated attacks are broken down into their constituent parts, we look to our threat modelling system of the 7 Stages of Advanced Threats. This helps us to build a clearer picture of risk based on information known at any given time.

7 stages of Advanced Threats:

For Regin we can arrive at the following mapping :

Stage 1 (Reconnaissance): The authors of Regin are believed to be knowledgeable about the industry sectors targeted and have tailored the malware to suit. Further, due to the modular nature of the attack, components can be added to suit the approach required by the malware authors based on their reconnaissance discoveries. It would seem that the number of target organizations is currently low.

Stage 2 (Lure): Uncertainty remains around the lures used by the Regin toolkit, but it is thought to involve compromised websites and a means to get those in front of the target. Most likely the lure would arrive via email, instant message communications, or drive-by attacks hosted on compromised websites.

Stage 3 (Redirect): Due to the varying options around the lure stage it is uncertain whether the redirect stage is used by Regin. Not all malware families subscribe to the all of the prescribed 7 Stages.

Stage 4 (Exploit Kit): Exploit code is often used to deliver payloads onto vulnerable machines. It is not always necessary for a vulnerability to be abused by malware, but it could be a possibility with the Regin toolkit considering its advanced nature.

Stage 5 (Dropper): Once the dropper has been deployed, Regin offers a multi-stage download-and-decrypt process to deliver its system files onto the infected machine. Note that it has been reported that non-traditional file storage areas such as the registry are used by Regin during its configuration phase. The security community is still hunting for the illusive dropper file, although we do have knowledge of, and have committed to our protection engine, multiple device drivers used in the payload's download process.

Stage 6 (Call Home): Regin's control communication is not just specific to the HTTP protocol. The use of UDP and TCP have also been observed. Further, custom encryption based on existing algorithms seek to hide the transmission of stolen data from solutions not looking out for the use of such custom encryption.

Stage 7 (Data Theft): Reports show that data stolen by the toolkit is not always committed to disk, instead sealed in memory only making analysis difficult.

Conclusion

Regin uses many complex methods to evade detection and make analysis difficult. The observed trend indicates the complexity of such malware will continue to increase as malware authors fine-tune their skills and adopt such modular and multi-stage malware.

As we continue our analysis and discover further Indicators of Compromise, we shall continue to enhance our protection using ACE, our Advanced Classification Engine. We have configured our ThreatSeeker® Intelligence Cloud to seek out further Indicators of Compromise and we are using technologies such as Yara to help achieve that and supplement our own analytics.